conditional remember-me w/ openid

[blaine]

The openid sample app has remember-me configured, but has no checkbox for it on the login chooser page. I guess that this means that remember-me is always active.

To test remember-me, is it correct that I need to let the session time out (decrease my session timeout for practicality), because I think if you log out explicitly you should not be logged back in automatically. Is that correct? You can see that I have very little experience with remember-me. Happens to not have been a requirement for my apps until now (mostly due to security requirements).

My main question here is, with openid is it possible for the end user to specify that they want remember-me or not, as is typical with a checkbox on a traditional login page, in case the user is using a public PC, shared account, etc., or is just paranoid.

[Luke Taylor]

The openid sample app has remember-me configured, but has no checkbox for it on the login chooser page. I guess that this means that remember-me is always active.

If you're talking about the 3.1 sample app (which uses a third-part OpenID selector library), then the remember-me server configuration is probably left over from when we had our own simple login page. It won't be active unless the remember-me parameter is submitted with the login request (i.e. uness the checkbox is present).

To test remember-me, is it correct that I need to let the session time out (decrease my session timeout for practicality), because I think if you log out explicitly you should not be logged back in automatically. Is that correct?

You can simply close your browser and start a new session instead. Logging out will clear the remember-me cookie unless you configure it not to.

My main question here is, with openid is it possible for the end user to specify that they want remember-me or not, as is typical with a checkbox on a traditional login page, in case the user is using a public PC, shared account, etc., or is just paranoid.

It should be. Just add the checkbox, as with the other sample apps.

[blaine]

Thanks Luke.

If you're talking about the 3.1 sample app (which uses a third-part OpenID selector library), then the remember-me server configuration is probably left over from when we had our own simple login page. It won't be active unless the remember-me parameter is submitted with the login request (i.e. uness the checkbox is present).

Ah. Good to know.

You can simply close your browser and start a new session instead.

Wow, this will save me a lot of time.
I have been under the false impression, for many years, that browsers cache sessions to disk (and restore them upon restart if the server hasn't timed out the session), because Tomcat's manager web app definitely restores your login session when you restart browser. Apparently, that app does it's own non-conditional remember-me (and gives no indication of that).

Logging out will clear the remember-me cookie unless you configure it not to.

That's what i thought.

It should be. Just add the checkbox, as with the other sample apps.

Great. I just dug into the SS code, and I see that that http param _spring_security_remember_me is probably used by both j_spring_openid_security_check and the traditional j_spring_security_check by virtue of both of them using AbstractRememberMeServices where it (_spring_security_remember_me) is defined.

Can't wait to test this out, but I can't for another 10 hours or so because I'm behind a firewall.

[blaine]

Works great! Thanks for the tips.